SANS ISC InfoSec Forums

We are offering a simple (IMHO) API to allow you to script various queries against our databases. One dataset we offer is a list of IP addresses that are scanning the internet for exposed services. The most prominent of these services is likely Shodan. To avoid having any devices from your organization show up in Shodan, you may want to block all scans from known Shodan hosts. We do create a list of these IP addresses and update it daily. The respective API query to retrieve the list is:

https://isc.sans.edu/api/threatlist/shodan/

By default, the list is returned as XML, but it is easy to change the format: all you need to do is append ?json or ?text to the URL. This makes processing with simple scripts rather easy. The "text" format is probably the easiest to process with shell tools, but just in case the format changes later in some subtle way, it is probably safest to use JSON and have the "jq" utility parse it:

LOGDROP is a table that will log the packet and then drop it. You could also just drop it here, but this would be a bit dangerous, as you wouldn't see these dropped packets in your logs, which makes debugging problems extra fun.

For a full list of our API functions, see https://isc.sans.edu/api . Please use your e-mail address as the User-Agent. We do not require authentication, but if your script causes issues, it would be nice if we could check with you rather than just block you.

Although I do have to say that if you run the full gamut of all the threat feeds and their IP addresses, the total amount is somewhere around 160K. So it should be noted and recognized that ipset can only hold up to 65535 items in a set. You can, however, make more than one set xD... anyway.
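As an added example (not ISC's own script, nor the one the post above refers to), here is one way to turn the JSON feed into `ipset restore` input while respecting the per-set limit mentioned in the reply: it identifies the client by e-mail in the User-Agent as ISC asks, validates every address before it reaches ipset/iptables, and splits the list across several sets. It assumes the JSON is a list of objects with an `ipv4` key; the sample data embedded below is constructed, not real feed output.

```python
"""Build an `ipset restore` script plus LOGDROP rules from the ISC Shodan feed."""
import ipaddress
import json
import urllib.request

ISC_URL = "https://isc.sans.edu/api/threatlist/shodan/?json"
MAX_PER_SET = 65535  # per-set ceiling noted in the thread; we split across sets


def fetch_feed(contact_email):
    """Download the feed; ISC asks that the User-Agent be your e-mail address."""
    req = urllib.request.Request(ISC_URL, headers={"User-Agent": contact_email})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_ipv4(entries):
    """Return unique, validated IPv4 addresses in feed order.
    Validation matters: the output is written into ipset/iptables commands,
    so a malformed or unexpected record must be dropped, never passed through."""
    seen, ordered = set(), []
    for entry in entries:
        raw = str(entry.get("ipv4", "")).strip()  # 'ipv4' key is an assumption
        try:
            addr = str(ipaddress.IPv4Address(raw))
        except ValueError:
            continue
        if addr not in seen:
            seen.add(addr)
            ordered.append(addr)
    return ordered


def chunk(addrs, size=MAX_PER_SET):
    """Split the address list into pieces no larger than one ipset can hold."""
    return [addrs[i:i + size] for i in range(0, len(addrs), size)]


def ipset_restore_script(addrs, base="shodan"):
    """Return (ipset restore text, iptables rules). One hash:ip set per chunk;
    each set is matched in INPUT and sent to a LOGDROP chain that logs, then drops."""
    lines = []
    rules = ["iptables -N LOGDROP",
             "iptables -A LOGDROP -j LOG --log-prefix 'shodan: '",
             "iptables -A LOGDROP -j DROP"]
    for n, part in enumerate(chunk(addrs)):
        name = f"{base}{n}"
        lines.append(f"create {name} hash:ip family inet maxelem {MAX_PER_SET} -exist")
        lines.extend(f"add {name} {ip} -exist" for ip in part)
        rules.append(f"iptables -I INPUT -m set --match-set {name} src -j LOGDROP")
    return "\n".join(lines), rules


# Constructed sample: a duplicate and a malformed record exercise the filtering.
SAMPLE = json.loads('[{"ipv4":"198.51.100.7"},{"ipv4":"198.51.100.7"},'
                    '{"ipv4":"203.0.113.9"},{"ipv4":"not-an-ip"}]')
```

Feed the first return value to `ipset restore` and run the rules list afterwards; with a real download, replace `SAMPLE` with `fetch_feed("you@example.org")`.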